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T able 1 . General S pecifications 
Content Scramble 

Object of scramble Packed data (as defined in ISO/IEC 13818-1) 


Scramble/ Non-scramble 


Scramble/Encryption 

process 


Descramble/Decryption 

process 


Key Selection 


selectable Video Title Set (VTS) by VTS (as defined in "DVD 
Specifications for Read-Only disc ; PartS Video Specifications) 

AV Data is scrambled using Title Key. 

Title Key is encrypted using Disc Key. 

i 

Disc Key is encrypted using Master Key. 

Disc Key is reproduced using Master Key. 

Title Key is reproduced using Disc Key. 

AV Data is reproduced using Title Key. 

Master Key is predetermined for DVD Content Scramble System. 
Disc Key is chosen for each Side^^isc. 

Title Key is chosen for each 


Algorithms 


Secret Disc Key enci^ 
Secret Title Key enew^ 
Secret AV DatsOscram^ 


i/deM^tion algorithm 
fk^d^ryption algorithm 
lescramble algorithm 


Disc K( 


jtle Key encryption is conducted in Key 


lule. 


Security Management 


AV^^^rambling is conducted by a black box. 

Di^sc Key and Title Key decryption and AV Data descrambling is 
I^nducted in a protected module in DVD Video Player or Decoder 

card. 


Bus-:Authenticatiph 


and BusJ^Enciyption 


Authentication Challenge-response mutual authentication 


Key sharing 


As the result of authentication, DVD-ROM Drive and Decoder 
Card have the same time variable Bus Key. 


Bus-Encryption/Decrypti Secured Disc Key data and Encrypted Title Key are 
on encrypted/decrypted using the time variable Bus Key. 

- Secret oneway functions for mutual authentication 

- Secret oneway function for generating time variable Bus Key 

Algorithms ^ Authentication Control Code, which is chosen for each side of 

disc, selects these oneway functions. 


DO NOT COPY 


©Copyright 1996, All rights reserved. 

GEN-3 


CONFTOENTI AL 


HIGHLY CONFIDENTIAL-ATTORNEYS EYES ONLY 


DVD CCA 


200294 





DVD Content Scramble System / Parti : General Specifications Version 0.9 October 1996 


1.4 Terminologies (T.B.D) 

Scramble : the process of disguising a AV Data as to hide its substance 
Descramble : inverse of Scramble 

Encryption : the process of disguising a special data (for example a key) as to hide its 
substance 

Decryption : inverse of Encryption 

Key : the data for which used in Scramble/Descramble or Encryption/Decryption 
2 System Architecture 

2.1 Framework of 'DVD Content Scramble System" 


Encryption Keys 

- Three keys are used for each prerecorded work: a Master Key, a Disc Key, and a Title Key. 
An Authentication Control Code is also used for each prerecorded work. The Authentication 
Control Code is utilized only in the computer envirmi^nt, as a part of the internal 
authentication process during transmission of the^®^^"H^s to the descrambler and 

associated decoder. 


Encryption IDecryption process 

- For each work that a copyright ow^^'^^hes to subject to this system, encryption would 
proceed as follows: ^ 

(1) the content would using Title Key and the algorithms and related 

system technoloeyr-v^e^ owner would determine Title Key on its own. 

The done at disc replication facilities. 

(2) Title be encrypted using Disc Key. Encrypted Title Key 

would be record^ in the Sector Header area, which is a "hidden" area. ( Hidden here 
and elsewhere in this part means that the area is not readily accessed by the user.) This 

step is done by using Title Key Encryption Module. 

(3) Disc Key would be converted to "Secured Disc Key data" - effectively encrypting 
this key - using Disc Key Protection Module that has Master Keys. The Secured Disc 
Key data would be written in the hidden area of the disc called the "Lead-in Area". 

(4) Authentication Control Code is provided on the disc for use in the authentication process 
applicable to DVD-ROM devices connected in the computer environment. This Code is 
used to transmit the other keys to the descrambler and associated decoder and is 
independent of the content scrambling/encryption process itself. 

NOTE: The security of the scrambling/encryption process used by studios and disc 
replication facilities is maintained through both the separate application of keys not 
necessarily held by the same party and the sealing of the Data Scramble, Title Key 
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Encryption, and Disc Key Protection Logic function in hardware. 

- For playback by DVD Video Player (stand-alone) device, descrambling would be 
accomplished through the following process: 

1) Disc Key Recovery Logic in the descrambler would read Secured Disc Key data 

from the hidden Lead-in Area, recovering Disc Key, 

2) Descrambler would then read (decrypt) Encrypted Title Key from the hidden 

Sector Header, 

3) Descrambler would then descramble the audio-video data in real time for playback. 
NOTE: (1) DVD Video Player is expected to have decryption capability, (2) All 
descrambling and decoding functions can be performed either in hardware or through the use 

of tamper resistant software. 

. Play back though a DVD-ROM drive and DVD AudioA^id^ Decoder Card would be the 
same as for stand-alone players except that there is amAtional step prior to actual 
descrambling. Here, DVD-ROM drive and DVD A^^ Decoder Card query each 
other in a bi-directional "dialogue" to verify that b^ff^thorized to send and receive the 
keys and scrambled data. If the query succe^^^^d^ is authorized, the keys are 

encrypted and transmitted from the dri\^ the a^sgpLnble/decoder. 


Mechanisms J 

DVD Content Scramble S}^^^OTstructed by the following mechanisms : 

(a) Encryption of ^ 

This rneeh^im^ contained in Disc Key Protection Module, and encrypts Disc 

Key by Keys. 

(b) Decryption of Disc Key 

This mechanism is contained in Descrambler Module at DVD Video Player and 
Decoder Card, and decrypts Disc Key by Master Key. 

(c) Encryption of Title Key 

This mechanism is contained in Title Key Encryption Module, and encrypts Title 
Key by Disc Key. 

(d) Decryption of Tide Key / 

This mechanism is contained in Descrambler Module at DVD Video Player and 

Decoder Card, and decrypts Title Key by Disc Key. 

(e) Scrambling of AV Data 

This mechanism is contained in Scrambler Module at Disc Formatter, and 
scrambles AV Data by Title Key. 

(f) Descrambling of AV Data 

This mechanism is contained in Descrambler at DVD Video Player and Decoder 
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Card, and descrambles AV Data by Title Key. 

Cel Authentication Mechanism a 

TOs mechanism is contained in Authenticalor Modnle at DVD-ROM I^e and 

Decoder Card, and authenticates DVD-ROM Drive and Decoder Card via PC buses 
in PC system 


bject Set (VOBS). 
decides freely whether the title of AV 


2.2 Architecture of "Content Publishing System" 

"Content Publishing System" includes Content Provider. Authoring Studio and Disc 

Formatter. , 

"Content Publishing System" generates AV contents and scrambles them if necessary, and 

publishes them as DVD Disc. 

The process of "Content Publishing System" is as follo^ 

(1) Generation of AV Data < 

- Content Provider generates AV Data as 

- Copyright Owner (possibly Contenv'^^vw© 

Data shall be scrambled or 

( 2 ) Title Key and Disc Key „ , 

- When Copyright Owi^^^ scramble the title. Copyright Owner shall select 

the 'Title Key" on<^^We Set (VTS) by VTS basis. 

- When a DVD^sc^^ne or more scrambled VTS, Copyright Administrator 

(Movip^C^^ or other entity) selects 'Disc Key" on a Side by Side basis. 

- Disc Iv^^^eTto Disc Key Protection Module. Title Key Set is set to Title Key 

Encryptiohmodule. 

(3) Encryption of Disc Key 

- Disc Key Protection Module encrypts Disc Key using predetermined "Master Keys 

of all descrambler chip manufacturers and generates "Secured Disc Key data" . 

- The encryption algorithm is denoted as EncDK. 

- Secured Disc Key data is recorded in Lead-in area of Disc. 

(4) Encryption of Title Key 

- Tide Key Encryption Module encrypts each Tide Key of Tide Key Set using above 

Disc Key. 

- The encryption algorithm is denoted as EncTK. 

- Encrypted Tide Key is recorded in the Copyright Management Information field of 

all sectors of a scrambled file. 

(5) Authentication Control Code 

- "Authentication Control Code" shad be decided for each side of disk, which can 
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Bus-Encryption/Decryption by BK is as follows : 

(1) On Disc Inserted, DVD-ROM Drive encrypts Secured Disc Key data by using BK and 
sends them to Decoder Card. Decoder Card descrambles them by using BK, and gets 

the Secured Disc Key data. 

(2) Before a playback of VTS, DVD-ROM Drive encrypts Encrypted Tide Key by using 
BK, and sends them to Decoder Card with Scrambled AV Data. Decoder Card decrypts 
Bus-Encrypted Encrypted Tide Key by using BK, and gets Encrypted Tide Key and 
scrambled AV Data. After that, process continues to step (1) in 2.4 

If the mutual authendcation process is successful. Scrambled AV Data on DVD-ROM Dnve 
is sent to Decoder Card. 


To sum up, Fig.4 shows the Architecture of 'DVD Video Playback system on PC". 



Fis.4 Architecture of 'DVD Video Playback system on PC 


3. Nominative References 


1) DVD Specificadons for Read-Only Disc (Version 1.0) ; August 1996 

2) ISO/IEC 13818; 1994 

Informadon Technology-generic coding of moving pictures and associated audio. 
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1. General 
1.1 Scope 

This part defines specification of DVD Content Scramble System for Authenticator on Decoder 
Card. 

This part defines functions and algorithms in Authenticator. And these are used for 
Bus-Authentication and Bus-Decryption mechanism. 


- Objectives of Bus- Authentication and Bus-Decryption are as follows : 

- Bus- Authentication 

To prevent digital-to-digital copy on personal computer environment. 

- Bus-Decryption 

To prevent the illegal-replacement after the mutual authentication. 




To realize these objectives Decoder Card has the folloi^^^Jp^anisms : 

- Authentication mechanism : to deterriiine th^pD^O^r Card is authentic and to let 

Decoder Card determin^^^ Drive is 'authentic'. 

- Key sharing mechanism : to share ^^^me v^i^e key used for Bus-Decryption. 

- Bus-Decryption mechanism Bus-Encrypted Secured Disc Key data and 

Bus-Encrxs4^^^iyiWted Title Key using by the shared time variable 
key. 

In addition to these^^aniM, Decoder Card has Descrambler mechanism. 

Fig.l shows thChwW^We of Decoder Card. 
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may be changed by using Authentication Control Code. 

1 .2 General Specifications 

Table 1 shows the general specifications for Authenticator on Decoder Card. 

Table 1 . General Specifications for Authenticator on Decoder Card 


Random number 
Generation 

[Output] Drv_Chal (80 bits) : Authenticator_on_Decoder's 
Challenge data for Drive authentication 

Drv__Auth 

[Input] Authentication Control Code (5 bits) 

[Output] Drv_Ref (40 bits) : Authenticator_on_Decoder's 
Reference data for Drive authentication 

Dec_Auth 


Key_Share 


Bus-Deem^ J 

<Or^^e^serted> 

^Input] Bus-Encrypted Secured Disc Key data (2048 bytes) 
.^[Output] Connect to Descrambler without appearing outside 
<Before a playback of VTS> 

[Input] Bus-Encrypted Encrypted Title Key (40 bits) 
[Output] Connect to Descrambler without appearing outside 


1.3 Terminologies and Notation (T.B.D) 

- Vector assignment : 

For example, the equation 

ia(39)...ia(0) = ib(39)...ib(0) © ic(39)., 
means the following equations are satisfied : 
ia(39) = ib(39) © ic(39) 
ia(38) = ib(38) © ic(38) 


.ic(0) 


ia(0) = ib(0) © ic(0). 

Note that each ia(i), ib(i) and ic(i) for i=39-0 means a bit. 
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3.2 Authentication Key 

Every Authenticator has a universal (common) 40 bits Authentication Key. 

All oneway functions (Drv_Auth, Dec_Auth and Key_Share) include the Authentication 
Key, and we omit to write it for each function. 

3.3 Authentication Control Code 

5 bits Authentication Control Code denoted as "ACC" selects which oneway functions 
of 32 functions for each Drv_Auth(ACC, j)/Dec_Auth(ACC, j)/Key_Share (ACC, j) 
(ACC=0-31, j is 80 bits data) is used. 


3.4 Process of Drv_Auth 

Drv__Auth calculates the 40 bits reference data "Drv_Ref using the 80 bits random 
number stored internally "Drv_Chal". 

3.5 Process of Dec__Auth 

Dec_Auth calculates the 40 bits response data "D^^^s'^ing a 80 bits challenge data 
from Decoder Card denoted as "Dec Chal". 


3.6 Process of Key_Share 

Key__Share calculates a time/V^a^^ BK using the data stored internally after 
mutual authentication usingCbv\r>™ Auth and Dec Auth. 


3.7 Process of Bus-DeofvptX ^ 

On Disc insetiS^>;Au^nticato^ in Decoder Card decrypts Bus-Encrypted Secured Disc 
Key data (2M^s^es) from DVD-ROM Drive, using shared BK. 

Before a playback of VTS, Authenticator in Decoder Card decrypts Bus-Encrypted 
Encrypted Title Key data (40 bits) from DVD-ROM Drive, using shared BK. 

4. Algorithm 

4.1 Random number Generation 

We do not define the structure of Random number Generation. 

We only define the conditions of Random number Generation as follows : 

- It may be generated by a real random number generator. 

- If it is implemented by pseudo-random number generator, its linear complexity 
shall be over 41. 

4.2 DVD-ROM Drive Authentication algorithm — Drv_Auth 
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Fie.2 The structure of Drv Au 


Next we define Drv_Byte_Perm, Drv_Bit_Perm, Aul 
detail. 



lerandAuth Substitutor in 


[Drv_Byte_Perm] 

Drv_Byte_Perm permutates 80 (of which each bit is represented as 

CD(79)...CD(0)) to 80 bits Pec^^^ee^D (of which each bit is represented as 
pcd(79)...pcd(0)). The relationX^tween input and output is as follows : 
pcd(79)...pcd(7^^^7 1 )...CD(64) 
pcd(71)...p<S^Ki{39)...CD(32) 
pcd(63)...pcd^^;^CD(55)...CD(48) 
pcd(55)...pcd(48)=CD(79)...CD(72) 
pcd(47)...pcd(40)=CD(23)...CD(16) 
pcd(39)...pcd(32)=CD(47)...CD(40) 
pcd(3 1 )...pcd(24)=CD(63)...CD(56) 
pcd(23)...pcd(16)=CD(7)...CD(0) 
pcd( 1 5)...pcd(8)=CD(3 1 )...CD(24) 
pcd(7)...pcd(0)=CD(15)...CD(8) 


[Drv_Bit_Perm] 

Drv_Bit_Perm permutates 5 bits input of Authentication Control Code (of which each bit is 
represented as acc(4)...acc(0)) to 5 bits Permutated ACC (of which each bit is represented as 
pacc(4)...pacc(0)). The relation between input bit and output bit is as follows : 
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- Initialization of carry 

Carry is initialized to "0". 


The output bit sequence of Auth_Scheduler is iak(n,7)...iak(n,0) for n 29-0. 

Note that iak(29,7) is generated first, iak(29,6)...iak(29,0) is next, and so on. And the 

last one is iak(0,0). 

Fig.3 shows the structure of Auth_Scheduler. 
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[Auth_Substitutor] 

Auth_Substitutor has Permutated CD (that is denoted as pcd(39)...pcd(0)) and Permutated 
ACC (that is denoted as pacc(4)...pacc(0)) and Intermediate Authentication Key (that is 
denoted as iak(n,7)...iak(n,0) for n=29-0) as input, and outputs Response Data (that is 

denoted as RD(39)...RD(0) ). 

The Auth_Substitutor algorithm is as follows using by Auth_Sbox explained later : 

Note that pacc(4)...pacc(0) enters into each Auth_Sbox, but it is omitted in below 
not to be complicated. 

<lst round> 

tempi (39). .. tempi (32)=Auth_Sbox(iak(29, 7). ..iak(29,0), pcd(39)...pcd(32)) 
templ(31)...templ(24)=Auth_Sbox(iak(28,7)...iak(28,0), pcd(31)...pcd(24)) 

© pcd(39)...pcd(32) 

temp 1 (23) . . . temp 1(1 6)= Auth_Sbox(iak(27 ,7) .. .iak(27 ,0) , pcd(23) . . .pcd( 16)) 

©pcd(31)...pcd(24) 

temp l(15)...temp 1(8)= Auth_Sbox(iak(26,7^^^^^^^2'p^), pcd(15)...pcd(8)) 

© pcd(23)...pcd(16) 

temp 1(7).. .temp 1 (0)= Auth_Sbox(i^ :^^ak(25 ,0) ,pcd(7)...pcd(0)) 

© pcd(15)^cd(i 




<2nd round> 

temp2(39)...temp^(^^^^rtK^Sbox(iak(24,7)...iak(24,0), 

tem^(39)...ternpl(32) © templ(7)...templ(0)) 
temp2f;3p^v^^tTi^(24)=Auth_Sbox(iak(23,7)...iak(23,0), 

temp 1 (3 1 ) .. .temp 1 (24)) 

© templ(39)...templ(32) © tempi (7)...templ(0) 

temp2(23)...temp2(16)=Auth_Sbox(iak(22,7),iak(22,0),templ(23)...templ(16)) 

© templ(31)...templ(24) 

temp2( 15).. .temp2(8)= Auth_Sbox(iak(2 1,7).. .iak(2 1,0), temp 1 ( 1 5) . ..temp 1(8)) 

© templ(23)...templ(16) 

temp2(7)...temp2(0)=Auth_Sbox(iak(20,7)...iak(20,0), temp l(7)...temp 1(0)) 

© templ(15)...templ(8) 


<3rd round> 
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temp2(39)...temp2(32)©temp2(7)...temp2(0)) ) 
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© temp5(31)...temp5(24) 

RD(15)...RD(8)=Auth_Sbox(iak(l,7)...iak(l,0), temp5(15)...temp5(8)) 

© temp5(23)...temp5(l6) 

RD(7)...RD(0)=Auth_Sbox(iak(0,7)...iak(0,0), temp5(7)...temp5(0)) 

© temp5(15)...temp5(8) 


Fig. 4 shows the structure of Auth_Substitutor. 


< 
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[Auth_Sbox] 

Auth_Sbox is used 5 times for each round in Auth_Substitutor. 

We explain Auth_Sbox algorithm in case that mput(jx8+7)...input(jx8) , iak(n,0)...iak(n,7) 
and pacc(4)...pacc(0) are input and output(jx8+7)...output(jx8) is output for j=4-0. 


The Auth_Sbox algorithm is as follows : 

(1) The input(ix8+7)...input(jx8) is EORed with iak(n,0)...iak(n,7). 

(2) The output of (1) is transformed by Pre-Table. Pre-Table has 8-bits address and 
8-bits output, so the memory size of Pre-Table is 256 bytes amount. The content of 
Pre-Table is shown in Annex-B. 

(3) The 7th,5th,4th,2nd and 0th bit of output of (2) are EORed with 
pace (4) . . .pacc(0) , respectively . 

(4) The output of (3) is transformed by Post-Table. Post-Table has 8-bits address and 



[T-box] 

T-box is a oneway transformation with 8 bits input (IN(0),IN(1),...,IN(7) ) and 8 bits 
output (OUT(0),OUT(1 ),..., OUT(7) ). 

T-box algorithm is as follows : 

OUT(0)=IN(0) © IN(1) ; "©" means EOR 
OUT(l)=IN(l) © IN(2) 

OUT(2)=IN(2) © IN(3) 
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To sum up, Fig.6 shows the structure of Dec_Auth. 


Authentication Key (40bit) 
,,ak(39)...ak(0) 


pcd(79)...pcd(40) 


Effective Authentication Key 
eak(39)...eak(0) | 


Dec_Chal 


CD(79)...CD(0) 


Authentication Contorol 

Code 

acx(4)...acc(0) 


Dec_Byte_Perm — Permutated CD 



Dec Bit Perm 


pcd(39)...pcxj(0) 


Permutated Acc 
pacc(4)...pacc(0) 


Auth Scheduler 


g L Intermediate Authentication Key 

1 iak(n,7)...iak(n,0) (n«29-0) 


Auth Substitutor 


Dec_Res 

RD(39)...RD(0) 


>ec_Res = Dec_Auth(Acc,Dec 




Fie.6 The struci 


fed )Auth 


Next we define Dec_Byte_Perm, Dec_ 
in Drv_Auth explained in 4.2. Cc 


erm. Note that the other parts are the same as ones 


[Dec_Byte_Perm] 

Dec_Byte_Perm pecfMmm 80 bits Drv_Chal ( denoted as CD(79)...CD(0)) to 80 bits 
Permutated CD*^<renatea^pcd(79)..^ The relation between input and output is as 

follows : 

pcd(79)...pcd(72)=CD(23).,.CD(16) 

pcd(71)...pcd(64)=CD(7)...CD(0) 

pcd(63)...pcd(56)=CD(39)...CD(32) 

pcd(55)...pcd(48)=CD(63)...CD(56) 

pcd(47)...pcd(40)=CD(47)...CD(40) 

pcd(39)...pcd(32)=CD(71)...CD(64) 

pcd(31)...pcd(24)=CD(31)...CD(24) 

< 

pcd(23)...pcd(16)=CD(79)...CD(72) 
pcd(l 5)...pcd(8)=CD( 1 5)...CD(8) 
pcd(7)...pcd(0)=CD(55)...CD(48) 


[Dec_Bit_Perm] 
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Permutated ACC (pacc(4)..$acc(0)) and Intermediate Authentication Key 
(iak(n,7)...iak(n,0) for n=29-0 ) . This part is the same as one in Drv_Auth. 

To sum up, Fig.7 shows the sttucture of Key_Share. 


Concatenated Response Data 


CRD(79)...CRD(0) 


Authentication Contorol 
Code 

acc(4)...acc(0) 


Authentication Key (40bit) 


pcd(79)..43Cd(40) 


Key_Byte_Perm — ^Permutated CD 


Key_Bit_Penn 


pcd(39)...pcd(0) 


Permutated Acc 
pacc(4)...pacc(0) 

‘Bk-Key__Share(Acc.( 


ak(39)...^(0) 


I 


Effective Authentication Key 
eak(39)...eak(0) I 


Auth Scheduler 


Intermediate Authentication Key 
iak(n,7)...iak(n,0) (n«29-C) 


Auth vSubstitutor 


Bus Key 
bk(39)..i)k(0) 


Fig.7 The struct 


Share 


Next we define Key_Byte_Perm, Key=;^i{^rm. Note that the other parts are the same as 
ones in Drv_Auth explained in 

[Key_Byte_Perm] ^ 

Key3yte_Pernipcm\uta^^ 80 bits Concatenated Response Data ( CRD(79)...CRD(0)) to 
80 bits Permutate^^C^(pcd(79)...pcd(0)). The relation between input and output is as 
follows : ^ 

pcd(79)...pcd(72)=CRD(79)...CRD(72) 

pcd(71)...pcd(64)=CRD(15)...CRD(8) 

pcd(63)...pcd(56)=CRD(55)...CRD(48) 

pcd(55)...pcd(48)=CRD(71)...CRD(64) 

pcd(47)...pcd(40)=CRD(23)...CRD(16) 

pcd(39)...pcd(32)=CRD(63)...CRD(56) 

pcd(3 1 )...pcd(24)=CRD(47)...CRD(40) 

pcd(23)...pcd(16)=CRD(31)...CRD(24) 

pcd(15)...pcd(8)=CRD(7)...CRD(0) 

pcd(7)...pcd(0)=CRD(39)...CRD(32) 


[Key_Bit_Perm] 
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Table2. Byte/Bit Order of Bus-Encrypted Secured Disc Key data 



BlockO 


Blockl 


Block408 


Block409 


1 ! 0 


0 i bcbd(39) 


1 


bcbd(O) 


5 ; bcbcl(39) 


8 


bebd(O) 


2040 ' bebd(39) 


2041 


2042 


2043 ; 




ing order to realize Bus-Authentication and 


5. Usage of algorithm 

Five algorithms are use( 

Bus-Decryption : 

(1) Random nurrfbSXJeneration 

(2) Drv_Au^" 

(3) Dec_Aum\^ or (3) algorithm uses the result of (1) as input. 

(4) Key_Share : This algorithm uses the result of (2)(3) as input. 

(5) Bus-Decrypt: This algorithm uses the result of (4) as input. 


And the software controlling the authentication scheme using these algorithms shall be 
implemented in such a way general user other than authorized person who gains detain and 
confidential information of Content Scramble System can not reveal it. 

Next we explain the usage of algorithms on DVD-ROM Drive in detail. 

[ Drive authentication ] 

Decoder Card authenticates DVD-ROM Drive as follows : 

(1) Decoder Card generates 80 bits random number Drv_Chal, and sends it to 

DVD-ROM Drive. 
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To sum up, Fig.8 shows the Bus-Authentication/Decryption scheme of Decoder Card 
on Disc inserted, and Fig.9 shows the scheme before a playback of VTS. 


,-DVD-ROM Drive 


(1) Drv_Chal 


(2) Drv__Res 


(4) Dec__Chal 


(5) Dec_Res 


is-^ncrypted 
Key data 

SK 


Decoder Card 

Secret Oneway Functions: 

Drv_Auth(i,j), Dec_Auth(i,j), Key_Share(i,j) 
i=0— 31, j: 80bit data 

[ Drive authentication] 

(1) Generate 80 bit random number Drv_Chal 

(time variable) 

(3) fori=31--0 

Calculate Vi=Drv_Auth(i, Drv_Chal) 

Find the first ? such that Drv_Res=Vi. 

And set Acc=i and Drv_Ref=Vi. 

If NOT FOUND, abort Authentication process. 


[D 

(5) Dec_Res^ 


(6) Cal 



d^nyauthentication] 
^Xb^(Acc, DecjChal) 

,Succ(Drv_Ref, Dec_Res) 


\^0 Jt Sharing a time variable Key] 

(7) SeTa time variable Bus Key 
\ BK=KeyjShare(Acc, Dec_Succ) 


[ Bus-Decryption] 

(9) SDK = Bus-Decrypt(BK, SK) 

SDK : Secured Disc Key data 


Fig.8. Bus-Authentication/Decryption scheme on Disc inserted 
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6. Implementation requirements 

- Five algorithms (Random number Generation, Drv__Auth, Dec^Auth, Key_Share, 
Bus-Decrypt), Authentication Key, replaced ACC, Effective Authentication Key, and 
Intermediate Authentication Key shall be implemented in such a way general user other 
than authorized person who gains detail and confidential information of Content Scramble 
System can not reveal and/or modify them. 

- Random number Generator should be a real random number generator or a Pseudo-random 
number generator whose linear complexity is over 41 . 

- The input of Drv_Auth in Authenticator of Decoder Card shall not be controlled from 
outside. 

- The input of Key^Share in Authenticator shall not be controlled from outside. 

- Any information except Input and Output of Authenticator on DVD-ROM Drive shall not be 

informed to users of Authenticator LSI. 

- Switching to test mode shall not be done easily by the general user. 

- The time variable Bus Key shall be concealed in such a ^^a^\jiat general user other than the 

authorized person can not reveal it. 

- Different Bus Key shall be used in each E 
Key data and Bus-Encrypted Encrypted Ti 
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(a) Single Layer type 

(b) Dual Layer type with Parallel Track Path 

(c) Dual Layer type with Opposite Track Path 

Each physical volume shall contain one Data Area and one or two Lead-in Area which 
shall have 192 Control Data Blocks. And, each Control Data Block shall consist of a 
Physical format information sector, a Disc manufacturing information sector and 14 
Content provider information sectors. A physical sector shall have 2048 bytes of Main 
Data field and 6 bytes of Copyright Management Information field as a part of sector 
header which is described as CPR_MAI field in DVD Specifications. 

The Copyright Management Information of this scheme shall consist of "Scramble Flag 
which is described as CP_SEC flag in DVD Specifications, "Encrypted Title Key" and 

’’Authentication Control Code”. 

In the Lead-in Area, "Secured Disc Key data (204^^^^^hall be recorded in the Main 
Data field of each first Content Provider infovfn^mh^ctor, which has a relative sector 
number 2. And "Authentication Control recorded in the CPR_MAI field of 

all Content Provider information sectors, w^ic^as a relative sector number from 2 to 15. 

In the Data Area, both "Scram^^^^ield and "Encrypted Title Key (40 bits)" field are 
defined in the Copyrighti(Ki^^®Mrtent Information field of each sector. When a file is 
scrambled, the identic^Thb^ted Title Key" shall be recorded in the CPR_MAI field of 
all sectors of a,,seE^^^l^^ file. And, "Scramble Flag" shall be set to ONE in the Copyright 
Management r^raktion field of all scrambled sectors. In case of non-scrambled sector, 
"Scramble Flag^M be set to ZERO. When a file is not scrambled, "Scramble Flag" 
shall be set to ZERO and 'Encrypted Title Key" field shall be reserved and set to ZERO in 

all sector of a file. 

As for Navigation pack sectors, they shall belong to non-scrambled sectors. 

An example of this data structure is shown in Fig. 2 for illustrative purposes only. 
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2.3.2 Data Structure in File System 

A single volume space shall be defined on Data Area of each physical format. Both UDF 
file structure and ISO 9660 file structure shall be recorded on this volume space, and shall 
have the Copyright Management Information in the Implementation Use Extended 
Attribute of the File Entry for each file and in the System Use field of the Directory 
Record for each file respectively. The Copyright Management Information of these field 
shall contain CGMS Information, Data Structure Type and Protection System 
Information. 


The CGMS Information shall have "Copyrighted Material" flag and CGMS code. When 
"Copyrighted Material" flag is set to ONE, the file contains Copyrighted Material 
including Audio and Video Object data and CGMS co4e^the file shall be interpreted as a 
2 bits unsigned binary number as follows; 

11b; No copying is permitted ((\^^ 

10b: One generation copies may 

01b: Condition is not used 

00b: Copying is perrnitteji-^^^^ restrictions 

Protection System Type *^fe^^^^^lterpreted as an 8 bits unsigned binary number as 
follows; , V 


0: This 
l:Thi^ 


npjscrambled sector 


1 : This^H^as one or more scrambled sectors that are processed according to this 
specifickuon. 

AU other values are reserved for future standardization. 


2.3.3 Data Structure in Packed Data 


A DVD-VIDEO object set file shall consist of Navigation pack sectors. Video pack 
sectors, and optional Audio pack sectors, and Sub-picture pack sectors. When a file is 
scrambled, sectors of which 'PES_Scrambling_control" is set to 01b may be scrambled on a 
sector by sector basis. Note that Navigation pack sector shall not be scrambled. The Main 
Data field except for the leading 128 bytes shall be scrambled in a scrambled sector. 

"PES_scrambling_control" field in the packet header, which is defined in ISO/IEC 
13818-1, is used to discriminate a "Scrambled sector" from a Non-scrambled sector" by PC 
software. In this specification, the value of this field is defined as follows; 
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Leadnn Area 



CPR MAI field 


Authentication 
Control Code 


Main Data field 

Secured 
Disc Key — 
data 


Master Ke\ 


DecDK 


Disc Key 
Recovery module 


Data Area 


CPR_MAI field 

Encrypted Title 
Key 


Main Data field 


Scrambled AV Data 


DVD Disc 


Fig. 3 Architecture of " 


DecTK 


DscAV 


•Descrambler- 


Audio A^ideo 
Decompression 


DVD Video Player 


.O 


’layer System" 


AN Data 


2.5 Architecture of "DVD Video Playt^a^ystem on PC" 

On PC system, it is necessaw to^^beii^the 'Dus- Authentication and Bus-Encryption 
between DVD-ROM DriyeanaSb^^^ Card" before descrambling the content. 


The mutual Bus AumSiti^tion scheme between DVD-ROM Driye and Decoder Card is as 
follows: 

(1) Decoder C^^cts as "Verifier" and DVD-ROM Drive acts as "Proyer". Verifier 
generates a random number, and sends it to another side as Challenge data. 

(2) Proyer calculates Response data using Authentication Control Code and secret oneway 
function, and returns it. 

(3) Verifier receiyes Response data, and checks its yalidity. If the yalidity is not proyen, 
the authentication process is aborted. 

(4) Steps (1 )-(3) repeat by changing the roles of Decoder Card and DVD-ROM Driye. 

t 

(Note)There are the plural oneway functions for calculating Response data. The Security 

Management Agent selects a oneway function. The information to select a function, called 

’’Authentication Control Code”, is stored in Lead-in area of Disc. 


As the result of the successful mutual authentication scheme, both sides generate the same 
time-variable key (it is denoted by Bus Key or simply 'BK'). 
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Bus-Encrypted 
Secured Disc Key data 


Bus-Encrypted 
Encrypted Title Key 


Scrambled AV data 


DVD-ROM Drive 


PC Digital l/F 


Authentication 

Mechanism 


Key Sharing 
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Bus- 
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Bus - 
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Authenticator on 
Decoder Card 


Master Key 


DecDK 


DISC KEY 
Recovery module 


DecTK 


DscAV 


•Descrambler* 


AudioA/ideo 

Decompression 


AA/ Data 


Decoc 


O. 


Fig.l. Archk^^re oF^coder Card 


- Functions and algorithms in 

- Random number GenerahOT>^enerate a random challenge data 

- Drv__Auth : One^^a>^ for E>rive authentication, which is Decoder Card's act of 

the validity of DVD-ROM Drive. 

- Dec_Auth : O^^ay function for Decoder authentication, which is DVD-ROM Drive's 

act of authenticating the validity of Decoder Card. 

- Key_Share : Oneway function for key sharing between DVD-ROM Drive and Decoder 

Card 

- Bus-Decrypt : Bus-Encrypted Secured Disc Key data and Bus-Encrypted Encrypted Title 

Key are decrypted by the shared key. 


- Drv__Auth, Dec_Auth and Key_Share 

- Using oneway function 

By using secret oneway function, it is practically impossible to guess 
Authentication Key and its algorithm from its input and output of Authenticator. 
Each oneway function has oneway operation T-box. 

- 32 types of triplet for each Drv_Auth/Dec_Auth/Key_Share (k=0-31) 

To keep the security high, the oneway functions used in Authentication process 
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And © means "Exclusive OR" operation. 


2. Input/Output 

We define the input and output of five algorithms in Authenticator on Decoder Card. 

Note that there are several internal input to the algorithm. All inputs and outputs without 

(internal) marks are external. 


Random number Generation ' 

[Output] Drv_Chal (80 bits) : Authenticator_on_Decoder’s Challenge data for Drive 
authentication. 

Drv_Auth 

[Input] Authentication Control Code (5 bits) 

[Output] Drv_Ref (40 bits) : Authenticator_on_Decoder*s Reference data for Drive 
authentication. 

[Input(Intemal)] Drv_Chal made by Random ni^^r Generator 
Dec_Auth 

[Input] Dec_Chal (80 bits) : Authenticf(] 0 !s )rive's Challenge data for Decoder 
authentication. 

[Input] Authentication Contro[^ode^j^§^^lts) 

[Output] Dec_Res (40 bit^^ Authenticator_on_Decoder's Response data for 
Decoder aut non. 




Key_Share 

[Input] Authenfiqatioif^ontrol Code (5 bits) 

[Iriput(Internk[m (80 bits), which is a concatenation of internally stored 

Drv_Ref (40 bits) and internally stored Dec_Res (40 bits) 
[Output(Kt^al)] Bus Key (40 bits) shall be used to Bus-Decryption directly. 
Bus-Decrypt 

<On Disc lnserted> 

[Input] Bus-Encrypted Secured Disc Key data by BK (2048 bytes) 

[Output] Connect to Descrambler without appearing outside 
<Before a playback of VTS> 

[Input] Bus-Encrypted Encrypted Title Key (40 bits) 

[Output] Connect to Descrambler without appearing outside 


3. Process 

3.1 Process of Random number Generation 

Random number Generation generates 80 bits random number to be used for a 
challenge to another side. 
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DVD-ROM Drive Authentication algorithm "Drv_Auth" is used to calculate Reference Data 
"Drv_Ref ' from Challenge Data "Drv_Chal". 

Drv_Auth has 5 bits Authentication Control Code "ACC" and 80 bits Drv_Chal as input, 
and 40 bits Drv_Ref as output Each bit of ACC is denoted as acc(4)...acc(0), each bit of 
Drv_Chal is CD(79)...CD(0), and each bit of Drv_Ref is RD(39)...RD(0). 

Drv_Auth consists of the following parts : 

- Drv_Byte_Perm 

Each byte of 80 bits Drv_Chal is permutated to Permuted CD. 

Each bit of Drv.Chal is denoted as CD(79)...CD(0), and each bit of Permutated CD 

is denoted as pcd(79)...pcd(0). 

- Drv'_Bit_Perm 

Each bit of 5 bits ACC is permutated to Permutated ACC. 

Each bit of ACC is denoted as acc(4)...acc(0), an^^h bit of Permutated ACC is 

denoted as pacc(4)...pacc(0). 

- Authentication Key 

Authentication Key ak(39)...ak(0) is 4^KS^th, and it is embedded in Drv_Auth 
algorithm. Authentication Key i^how^^m^Annex-A. 

-EOR 

Authentication Key is The result is called Effective 

Authentication Key ^^^^^■asxak(39)...eak(0). 

- Auth_Scheduler^^i;x v 

It is initializeflW^^ective Authentication Key eak(39)...eak(0), and outputs every 8 
bits Interm^me Authentication Key which is denoted as iak(n,7)...iak(n,0) for each 
n=29-0. Thmotal 30 bytes Intermediate Authentication Key is generated. 

- Auth_Substitutor 

It calculates Drv_Ref (RD(39)...RD(0)) using Permutated CD (pcd(39)...pcd(0)) , 
Permutated ACC (pacc(4)...pacc(0)) and Intermediate Authentication Key 
(iak(n,7)...iak(n,0) for n=29-0 ) . 


To sum up, Fig.2 shows the structure of Drv_Auth. 
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pacc(4)=acc(4) 

pacc(3)=acc(3) 

pacc(2)=acc(2) 

pacc(l)=acc(l) 

pacc(0)=acc(0) 


(Note) Drv_Bit_Perm operates nothing actually, but we dare to define in order to contrast 
this Drv_Bit_Perm with Dec_Bit_Penn in "Dec_Auth "and Key_Bit_Perm in "Key_Share". 


jr • 





er_LFSR) 




[Auth_Scheduler] 

Auth_Scheduler prepares every 8 bits Intermediate Authentication Key for n=29-0 using 40 
bits Effective Authentication Key 'eak'. Auth_Scheduler is initialized by 40 bits 
eak(39)...eak(0) and outputs every 8 bits iak(n,7)...iak(n,0) for n=29-0 by operating 30x8 

times. 

Auth_Scheduler consists of the following parts : 

- Linear Feedback Shift Register of 1 7 degree ( 

The polynomial of the Upper_LFSR is 

- Linear Feedback Shift Register of 25 

The polynomial of the Lowei^FS 

- LSW=1 

Reversing the output./5f(Lov>^J^SR 

- USW=1 

itput^ Lfpper_LFSR 
any 

ind feedbacked carry bit are full-added, 
it of the result is a bit of Intermediate Authentication Key, and the 

upper bit is stored to D-flip flop (DFF) for the next bit addition. 

Auth.Scheduler is initialized by 40 bits Effective Authentication Key eak(39)...eak(0) as 
follows : 

- initialize of Upper_LFSR 
Bit 8 is preset to "1". 

eak(31)...eak(24) are set to Bitl6...Bit9, and eak(39)...eak(32) are set to 
Bit7...BitO. 

- Initialization of Lower_LFSR 
Bit 3 is preset to "1". 

eak(7)...eak(0) are set to Bit24...Bitl7 and eak(15)...eak(8) are set to Bitl6...Bit9 
and eak(23)...eak(19) are set to Bit8...Bit4 and eak(18)...eak(16) are set to 

Bit2...BitO. 


Reversing 
- 1 bit Full 
Two 

The lowe' 
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etemp2(39)...temp2(32)©temp2(7)...temp2(0)) 

temp3(23)...temp3(16)=T(Auth_Sbox(iak(17,7)...iak(17,0), 

temp2(23)...temp2(l6)) © temp2(31)...temp2(24)) 

temp3(15)...temp3(8)=T(Auth_Sbox(iak(l6,7)...iak(16,0), 

temp2(15)...temp2(8)) © terap2(23)...temp2(16)) 

temp3(7)...temp3(0)=T(Auth_Sbox(iak(15,7)...iak(15,0),temp2(7)...temp2(0)) 

© temp2(15)...temp2(8)) 


<4th round> 

temp4(39)...temp4<32)=T(Auth_Sbox(iak(14,7)...iak(14,0), 

temp3(39)...temp3(32)©temp3(7)...temp3(0)) ) 

temp4(31)...temp4(24)=T(Auth_Sbox(iak(13,7)...iak(13,0), 

temp3(3 1 ) . ..temp3 (24)) 

© temp3(39)...temp3(32)®teinp3(7)...temp3(0)) 

temp4(23) . . .temp4( 1 6)=T( Auth_Sbox(iak( 1 2^^ak( 1 2,0) , 

temp3(23)...temp3( 1 6))<^^f%3 1 )-temp3(24)) 

temp4(15)...temp4(8)=T(Auth_Sbox(r^^N%i^-iak(ll,0), 

temp3(15)...ten(p§(8)|^^l^)temp3(23)...teinp3(16)) 

temp4(7)...temp4(0)=T(Aut^Sboy^l0,7)...iak(10,0),temp3(7)...temp3(0)) 

© temp^l^..temp3(8)) 

<5th round> 

temp5(39)^.^tcHTO5(S^uth_Sbox(iak(9,7)...iak(9,0),temp4(39)...temp4(32) 

©temp4(7)...temp4(0)) 

temp^&&iip5(24)=Auth_S 

© temp4(39)...temp4(32)®temp4(7)...temp4(0) 
temp5(23)...tcmp5(16)=Auth_Sbox(iak(7,7)...iak(7,0), temp4(23)...temp4(16)) 

© temp4(31)...temp4(24) 

temp5(15)...temp5(8)=Auth_Sbox(iak(6,7)...iak(6,0), temp4(15)...temp4<8)) 

© temp4(23)...temp4(16) 

temp5(7)...temp5(0)=Auth_Sbox(iak(5,7)...iak(5,0), temp4(7)...temp4(0)) 

© temp4(15)...temp4(8) 


DO NOT COPY 


<6th round> 

RD(39)...RD(32)=Auth_Sbox(iak(4,7)...iak(4,0), temp5(39)...temp5(32) 


©temp5(7)...temp5(0)) 

RD(31)...RD(24)=Auth_Sbox(iak(3,7)...iak(3,0), temp5(31)...temp5(24)) 

©temp5(39)...temp5(32)©temp'5(7)...temp5(0) 
RD(23)...RD(16)=Auth_Sbox(iak(2,7)...iak(2,0), temp5(23)...temp5(16)) 
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OUT(3)=IN(3) © 1N(4) 
OUT(4)=IN(4) © IN(5) 
OUT(5)=IN(5) © IN(6) 
OUT(6)=IN(6) © IN(7) 
OUT(7)=IN(7) © IN(0) 


4.3 Decoder Card Authentication algorithm — Dec_Auth 

Decoder Card Authentication algorithm ’Dec_Auth" is used to calculate Response Data 

'Dec_Res" from Challenge Data 'Dec_Chal". 


Dec_Auth has 5 bits Authentication Control Code "ACC", 80 bits Dec_Chal as input, and 
40 bits Dec_Res as output. Each bit of ACC is denoted as acc(4)...acc(0), each bit of 
Dec_Chal is CD(79)...CD(0), each bit of Dec_Res is RD(39)...RD(0). 


Dec_Auth consists of following parts : 

- Dec_Bytes_Perm 

Each byte of 80 bits Dec_Chal is permu 
Each bit of Dec_Chal is denoted as 
is denoted as pcd(79)...pcd(0h 

- Dec_Bit_Perm 

Each bit of 5 bits ACC^ 

Each bit of ACC is 


denoted as p; 
- Authenticati( 




pnutated CD. 

(6), and each bit of Permutated CD 


^d to Permutated ACC. 

^cc(4)...acc(0), and each bit of Permutated ACC is 


|...p^(0). 


A Secre 

one in Drv^uth. 
-EOR 


nti^tion Key ak(39)...ak(0) is 40 bits length, and it is the same as 


Authentication Key is EORed with pcd(79)...pcd(40). The result is Effective 
Authentication Key eak(39)...eak(0). This part is the same as one in Drv_Auth. 

- Auth_Scheduler 

It is initialized by Effective Authentication Key eak(39)...eak(0), and outputs 30 
bytes Intermediate Authentication Key which is denoted as iak(n,7)...iak(n,0) for 

n=29-0. 

This part is the same as one in Drv_Auth. 

- Auth_Substitutor 

It calculates Drv_Res (RD(39)...RD(0)) using Permutated CD (pcd(39)...pcd(0)) , 
Permutated ACC (pacc(4)...pacc(0)) and Intermediate Authentication Key 
(iak(n,7)...iak(n,0) for n=29-0 ) . This part is the same as one in Drv.Auth. 
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Dec_Bit_Perm permutates 5 bits input (acc(4)...acc(0)) to 5 bits output (pacc(4)...pacc(0)). 
The relation between input bit and output bit is as follows : 
pacc(4)=acc(3) 

pacc(3)=~acc(4) means negation. 

pacc(2)=acc(l) 

pacc(l)=~acc(0) 

pacc(0)=acc(2) 


4.4 Key sharing algorithm — Key_Share 

Key sharing algorithm "Key_Share" is used to calculate sharing key "Bus Key" from 
Concatenated Response Data on both Decoder and Drive : 


Key_Share has 5 bits Authentication Control Code "ACC", 80 bits Concatenated Response 
Data as input, and 40 bits Bus Key as output We define how to create Concatenated 
Response Data later. Each bit of ACC is denoted as accGQ^cc(O), each bit of Concatenated 
Response Data is CRD(79)...CRD(0), each bit of Bp^^^^y^bk(39)...bk(0). 



"Key_Share" consists of following parts : 

- Key_Byte_Perm ^ 

Each byte of 80 bits Concajei»tM.^esponse Data is permutated to Permutated CD. 
Each bit of Concatenat^fe^^^^Data is denoted as CRD(79)...CRD(0), and each 
bit of Permutated as pcd(79)...pcd(0). 

- Key_Bit_Perm x-— \ 'v 

Each biujf^voQ^^^C is permutated to Permutated ACC. 

Each biibRAOCTs denoted as acc(4)...acc(0), and each bit of Permutated ACC is 
denoted as p^c(4)...pacc(0). 

- Authentication Key 

Authentication Key ak(39)...ak(0) is 40 bits length, and it is the same as one in 
Drv_Auth. 

-EOR 

Authentication Key is EORed with pcd(79)...pcd(40). The result is Effective 
Authentication Key eak(39)...eak(0). This part is the same as one in Drv_Auth. 

- Auth_Scheduler 

It is initialized by Effective Authentication Key eak(39)...eak(0), and outputs 30 
bytes Intermediate Authentication Key which is denoted as iak(n,7)...iak(n,0) for 
n=29-0. 

This part is the same as one in Drv_Auth. 

- Auth_Substitutor 

It calculates Bus Key (bk(39)...bk(0)) using Permutated CD (pcd(39)...pcd(0)) , 
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Key_Bit_Perm permutates 5 bits input (acc(4)...acc(0)) to 5 bits output (pacc(4)...pacc(0)). 

The relation between input bit and output bit is as follows : 
pacc(4)=-acc(2) means negation 
pacc(3)=acc(0) 
pacc(2)=acc(l) 
pacc(l)=~acc(3) 
pacc(0)=acc(4) 


[How to create Concatenated Response Data] 

Concatenated Response Data that is denoted as 'T)ec_Succ" in the protocol is created by 
concatenating Drv_Ref and Dec_Res. 

Each bit of internal input "Dec_Succ" (CRD(79)...CRD(0)) is as follows : 
CRD(79)...CRD(72)=RD(39)...RD(32) of Dec_Res 
CRD(71)...CRD(64)=RD(31)...RD(24) of Dec_Res 
CRD(63)...CRD(56)=RD(23)...RD(16) of Dec_Re: 
CRD(55)...CRD(48)=RD(15)...RD(8) of DecJ 
CRD(47)...CRD(40)=RD(7)...RD(0) of Dei 


CRD(39)...CRD(32)=RD(39) 
CRD(3 1 )...CRD(24)=RD(3 1 
CRD(23)...CRD(16)= 
CRD(15)...CRD(8)= 


CRD(7)...CRD 






.(32)MfJ2>fv Ref 
24) of Drv_Ref 
) of Drv_Ref 
(8) of Drv_Ref 


RD(0) of Drv_Ref 


4.5 Bus-DecryptiCT^lkdrithm — Bus-Decrypt 

On Disc Inserted, 2<)^ bytes of Bus-Encrypted Secured Disc Key data is divided into 409 
of 5 bytes blocks (Block0,...Block408 from the top) and a 3 bytes block (Block409). Each 
5 bytes block is denoted by bebd(39)...bebd(0). Table2 shows B>le/Bit Order of 
Bus-Encrypted Secured Disc Key data. 

Each Bus-Encrypted Block data is EORed with the time variable key BK (it is denoted as 
bk(39)...bk(0)). The result. Block data, is described as 
bd(39)...bd(0) = bebd(39)...bebd(0) 0 bk(39)...bk(0). 

Universal BK is used to decrypt every 40 bits of Bus-Encrypted Secured Disc Key data. 
Bus-Decryption of the Block409 which has 3 bytes block data is arbitrary. 


Before a playback of VTS, 40 bits of Bus-Encrypted Encrypted Title Key, 
beetk(39)...beetk(0), is EORed with the BK. The result. Encrypted Title Key, is described 
as 

etk(39)...etk(0) = beetk(39)...beetk(0) 0 bk(39)...bk(0). 
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(2) Decoder Card receives response data Drv_Res from DVD-ROM Drive. 

(3) Decoder Card calculates Vi=Drv_Auth(i, Drv_Chal) for i=3 1 -0, and finds the first 

'i' such that Drv_Res=Vi. And sets ACC==i, and Drv_Ref=Vi. If not found, abort 
Authentication process. 


[ Decoder authentication ] 

DVD-ROM Drive authenticates Decoder Card as follows : 

(4) Decoder Card receives 80 bits random number Dec_Chal from DVD-ROM Drive. 

(5) Decoder Card calculates response data such as Dec_Res=Dec_Auth(ACC, 
Dec_Chal) using the Drv_Auth function indicated by ACC, and sends back to 
DVD-ROM Drive. 

(6) Decoder Card calculates Concatenated Response Data (Dec_Succ) using Dec_Res 

and Drv_Ref as in 4.4. 

DVD-ROM Drive authenticates Decoder Card using Dec_Chal and the corresponding 
Dec Res. 


[ Sharing a time variable key ] 

(7) Decoder Card calculates BK=Key_: 
After (l)-(7), proper DVD-ROM Drive 
variable key BK. 






Dec_Succ) using 'ACC in (3). 
ecoder Card pair can share the same time 


[ Bus-Decryption ] 

- On Disc insei 

(8) Decodep-C^^^^ves Bus-Encrypted Secured Disc Key data SK from DVD-ROM 

Driv^ 

(9) Decoder Card decrypts Bus-Encrypted Secured Disc Key data using BK and obtains 

Secured Disc Key data (2048 bytes). 


- Before a playback of VTS 

(8) Decoder Card receives Bus-Encrypted Encrypted Title Key SK from DVD-ROM 

Drive. 

(9) Decoder Card decrypts Bus-Encrypted Encrypted Title Key using BK and obtains 

Encrypted Title Key (40 bits). 

After the process explained above. Decoder Card gets Secured Disc Key data (2048 
bytes). Encrypted Title Key (40 bits) and Scrambled AV data. 

Then Decoder Card operates the following Descramble process using them. 
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.DVD-ROM Drive., 


(1) Drv_Chal 


(2) Drv_Res 


(4) Dec_Chal 


(5) Dec_Res 


incrypt ed 
'pted Title Key 

SK 



- Decoder Card - 

Secret Oneway Functions: 

Drv_Auth(i,j), EDec__Auth(i,j), Key_Share(i,j) 
i=0^31, j: 80bit data 

[ Drive authentication] 

(1) Generate 80bit random number Drv_Chal 

(time variable) 

(3) for 1=31-0 

Calculate Vi=Drv_Auth(i, DrvjChal) 

Find the first V such that Drv__Res=Vi. 

And set Acc=i and Drv_Ref=Vi. 

If NOT FOUND, abort Authentication process. 

uthentication] 

;_Auth(Acc, Dec^Chal) 

► 

c_Succ(Drv_Ref, Dec_Res) 


[ Sharing a time variable Key] 

7) Set a time variable Bus Key 
' BK=Key_Share(Acc, Dec_Succ) 


\ 



[ Bus-Decryption] 
(9) ETK = Bus-Decrypt(BK, SK) 

ETK : Encrypted Title Key 


Fig.9. Bus-Authentication/Deciyption scheme before a playback of VTS 
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(Annex-A) Authentication Key 

This part is intentionally left blank. 


for Aulhcnlicalor on Decoder Can! Verst 


ersion 0.9 October 1996 



(Annex_B) Pre-Table 

This pan is intentionally left blank. 


(Annex_C) Post-Table 

This pan is intentionally left blank. 
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